Mark Minasi's Reader Forum
 10.6 Macs becoming unbound from AD Domain

T O P I C    R E V I E W
tonyFSMO Posted - 04/23/2012 : 11:24:46 AM
Hi All, recently our 10.6 Macs have started unbinding from our AD domain every time they try to change their machine account password. We have no idea why and we have not executed any changes on the AD or Macs recently. Here is a sample of the logs that are being generated. Any ideas would be super helpful:



An Error Event occured. EventID: 0xC000001A
Time Generated: 04/14/2012 10:54:14
Event String: While processing an AS request for target service
krbtgt, the account tonyd did not have a
suitable key for generating a Kerberos ticket
(the missing key has an ID of 2). The requested
etypes were 18. The accounts available etypes
were 23 -133 -128 3 -140.
An Error Event occured. EventID: 0xC000001A
Time Generated: 04/14/2012 10:55:59
Event String: While processing an AS request for target service
krbtgt, the account richt did not have a
suitable key for generating a Kerberos ticket
(the missing key has an ID of 2). The requested
etypes were 18. The accounts available etypes
were 23 -133 -128 3 -140.
An Error Event occured. EventID: 0xC000001A
Time Generated: 04/14/2012 11:05:20
Event String: While processing an AS request for target service
krbtgt, the account marks did not have a
suitable key for generating a Kerberos ticket
(the missing key has an ID of 2). The requested
etypes were 18. The accounts available etypes
were 23 -133 -128 3 -140.
......................... SAD01 failed test systemlog
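
A way to triage the dcdiag events quoted in the post above, added here as an example and not part of the original thread: it parses each event, names the IANA-registered etypes (18 is aes256-cts-hmac-sha1-96, 23 is rc4-hmac), and lists per account the requested etypes for which no key is stored. The sample events and the account names user1 and user2 are constructed; negative etype numbers are Microsoft-private and are reported by number only.

```python
import re

# IANA-registered Kerberos etype numbers. Negative numbers are
# Microsoft-private etypes and are reported by number only.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

EVENT_RE = re.compile(
    r"request for target service [^,]+, the account (?P<account>\S+) "
    r"did not have .*?requested etypes were (?P<req>[-\d ]+)\. "
    r"The accounts? available etypes were (?P<avail>[-\d ]+)\."
)

# Constructed sample in the layout of the quoted events (placeholder accounts).
SAMPLE = """\
An Error Event occured. EventID: 0xC000001A
Time Generated: 01/01/2012 10:00:00
Event String: While processing an AS request for target service
krbtgt, the account user1 did not have a suitable key for generating a Kerberos ticket
(the missing key has an ID of 2). The requested etypes were 18. The accounts
available etypes were 23 -133 -128 3 -140.
An Error Event occured. EventID: 0xC000001A
Time Generated: 01/01/2012 10:05:00
Event String: While processing an AS request for target service
krbtgt, the account user2 did not have a suitable key for generating a Kerberos ticket
(the missing key has an ID of 2). The requested etypes were 18 17. The accounts
available etypes were 23 -133 -128 3 -140.
"""

def etype_label(n):
    return ETYPE_NAMES.get(n) or (f"vendor-private({n})" if n < 0 else f"unknown({n})")

def parse_events(text):
    events = []
    for chunk in text.split("Time Generated:")[1:]:
        flat = " ".join(chunk.split())  # undo line wrapping and blank lines
        m = EVENT_RE.search(flat)
        if not m:
            continue  # some other kind of event
        req, avail = ([int(x) for x in m[g].split()] for g in ("req", "avail"))
        events.append({"time": " ".join(flat.split()[:2]), "account": m["account"],
                       "requested": req, "available": avail,
                       "unsatisfied": [e for e in req if e not in avail]})
    return events

def summarize(events):
    out = {}  # account -> names of requested etypes that have no stored key
    for ev in events:
        out.setdefault(ev["account"], set()).update(map(etype_label, ev["unsatisfied"]))
    return {acct: sorted(names) for acct, names in out.items()}
```

Calling `summarize(parse_events(text))` on saved dcdiag output gives one entry per account, which makes it easy to see whether every failing account lacks the same key type.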


5   L A T E S T    R E P L I E S    (Newest First)
tonyFSMO Posted - 04/24/2012 : 10:13:23 AM
Thanks guys we've engaged Apple Enterprise support and Microsoft. I'll let you know what we find.

Rastor728 Posted - 04/24/2012 : 10:10:19 AM
I would check out your latest patches to those MAC OS's!

On more than one occasion (used to be a K12 Sys Admin), I have had patches and updates break the AD Binding process (almost always related to DNS changes on OS X) and for me to have all the MAC's rejoin the domain. Check out the Apple Support forums and you might see some similar posts if Apple hasn't deleted them already. Apple is very tight on the "type" of post in their support forums, if it sounds too much like complaining and "bad mouthing" their product the post will come down regardless of accuracy or content.

wkasdo Posted - 04/23/2012 : 3:44:48 PM
Tony, I have no idea. I don't know anything about Macs. I do know a bit about Kerberos and the password changing algorithms, so I'm basically just thinking along with you. I'd look at the logs to see if anything stands out.

If you are able to trigger the password change, it would be even better. You could make a network trace.

tonyFSMO Posted - 04/23/2012 : 3:03:50 PM
Hi Wkasdo, thanks for replying. Most of the DCs are 2003, but we do have one 2008 R2 DC in the domain.

How do you want me to send the logs?

The other piece of the puzzle that bothers me is that to our knowledge nothing in the environment changed in either AD or on the Mac side and then one day Mac OSX 10.6 and 10.5 machines started failing. We know the failures start when the Mac tries to change its machine password (about every 14 days), but why all of a sudden does this no longer work? It works for 10.7 Macs?

wkasdo Posted - 04/23/2012 : 2:37:30 PM
Are these 2003 DCs? If so, it's unrelated.

Any chance of getting a client log, from whatever service on a Mac is responsible for changing the computer password?
